Data Protection Commissioner made findings against An Garda Síochána and Department of Justice

The Data Protection Commissioner examined an allegation about the alleged misuse of CCTV in an accommodation centre, specifically in relation to remote access by staff to live footage via a smartphone.

In her annual report for 2017, the commissioner said allegations of inappropriate video recording of residents by staff using their personal smartphones was alleged.

“We determined there was no evidence of any breach of the Data Protection Acts with regard to any of the allegations,” the report said.

From the outset, the office engaged with the Reception and Integration Agency to ensure a generic CCTV policy would be drawn up and issued to all accommodation centres.

“We noted the finalised CCTV policy confines the use of CCTV to a narrow set of purposes namely the security, health, and safety of both residents and staff and the explicit restriction placed on smartphone/remote access to CCTV footage except in emergencies,” the report said.

“In terms of transparency, the inclusion of a notice regarding CCTV in the letter of acceptance signed by all residents prior to taking up residence is to be welcomed, as is the commitment to incorporate CCTV and data protection into the inspections of accommodation centres which are published on the RIA website.”

The office said it would continue to monitor this area closely and had issued general advice to a wide range of entities audited in 2017 concerning the inappropriate use of CCTV to monitor individuals either on-site or remotely.

It said organisations usually deploy CCTV for security purposes, which can be deemed to be “justifiable and proportionate in scenarios of ongoing theft”.

“However, other uses of CCTV would also need to be justified and proportionate. For example, continuous monitoring of employees for performance issues would likely fail the proportionality test.”

The office said CCTV should not be used as an alternative to the effective supervision of employees, “either on-site or remotely”.

“Remote access to CCTV footage via smartphones, tablets etc. is becoming more commonplace and is clearly advantageous in situations such as monitoring an empty building. However, there would need to be a very high level of justification required for remotely monitoring employees during the course of carrying out their normal daily working duties.”

Thirty-four formal decisions were issued by the commissioner in 2017, including one against An Garda Síochána for failing to ensure the safe storage of the sensitive personal data of a couple, including medical details, contained in an evidence file.

The annual report said an officer had failed to return the file to the district office for filing. Following investigations by An Garda Síochána and the Garda Siochana Ombudsman Commission, the officer in question had been disciplined and sanctioned for the contravention.

The commissioner also issued a finding against the Department of Justice after it uploaded information about an employee of the department’s health to a general departmental database. The report remained on the database for up to three years where it could be accessed by up to 80 employees, but the department was unable to identify how many times and by how many different staff members it had been accessed.

“This case is a stark illustration of the consequences for a data subject and general distress which can be caused where the data controller fails to ensure that its staff have adhered to, and continue, to adhere to proper document management protocols for documents containing personal data and moreover, sensitive personal data,” the office said.